There was AMVO, something probably remains

As in the title; almost everything was fixed (ComboFix and FlashDisk Disinfector did the work), but:

  • e.g. when trying to run the PC World disc: "is not a valid Win32 application"

  • an access denied error with msconfig

  • still a bit slow, despite using Ashampoo and CCleaner

  • Avira recently detected crypt Xpack.Gen and Xema.A

Logs from ComboFix and HijackThis (by the way, E: is the DVD drive; I forgot to eject the disc mentioned above)

ComboFix 08-11-13.02 - M i S 2008-11-15 19:11:37.3 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1250.1.1045.18.65 [GMT 1:00]

Uruchomiony z: c:\documents and settings\M i S\Pulpit\ComboFix.exe

* Utworzono nowy punkt przywracania

.

((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))

.

E:\autorun.inf . . . . nie udało się usunąć

.

((((((((((((((((((((((((( Pliki utworzone od 2008-10-15 do 2008-11-15 )))))))))))))))))))))))))))))))

.

2008-11-15 18:16 . 2008-11-15 18:16

2008-11-15 16:07 . 2008-11-15 16:07

2008-11-14 22:19 . 2008-11-14 22:24

2008-11-14 22:19 . 2008-11-14 22:19

2008-11-14 20:47 . 2008-11-14 20:47

2008-11-14 20:47 . 2008-11-14 20:47

2008-11-14 14:48 . 2008-10-24 12:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys

2008-11-14 14:47 . 2008-09-04 18:17 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll

2008-11-07 17:08 . 2008-11-07 17:08

2008-11-07 17:08 . 2008-11-07 17:08

2008-11-07 17:08 . 2008-11-07 17:08

2008-11-07 17:08 . 2008-11-07 17:08

2008-11-07 17:06 . 2008-11-07 17:08

2008-11-07 16:59 . 2008-11-07 16:59

2008-11-07 16:32 . 2008-11-07 16:32

2008-11-06 21:39 . 2008-11-15 16:02

2008-11-06 20:26 . 2008-11-06 20:26

2008-11-06 20:26 . 2008-11-06 20:26

2008-11-06 13:41 . 2008-11-06 13:41

2008-11-06 13:15 . 2008-11-07 16:28

2008-11-06 13:15 . 2008-11-14 22:21

2008-11-06 12:47 . 2008-11-13 02:20

2008-11-06 12:33 . 2008-11-06 12:33

2008-11-06 01:36 . 2008-11-06 01:36

2008-11-06 01:11 . 2008-11-06 01:11

2008-11-06 01:11 . 2008-11-15 16:02

2008-11-06 01:11 . 2008-11-06 01:13

2008-11-04 18:45 . 2008-11-07 09:13 69 --a------ c:\windows\NeroDigital.ini

2008-10-26 12:34 . 2005-06-10 14:29 2,920,448 --------- c:\windows\NuNinst.exe

2008-10-26 12:34 . 2004-07-26 17:16 1,568,768 --------- c:\windows\system32\ImagX7.dll

2008-10-26 12:34 . 2004-07-26 17:16 476,320 --------- c:\windows\system32\ImagXpr7.dll

2008-10-26 12:34 . 2004-07-26 17:16 471,040 --------- c:\windows\system32\ImagXRA7.dll

2008-10-26 12:34 . 2004-07-26 17:16 262,144 --------- c:\windows\system32\ImagXR7.dll

2008-10-26 12:34 . 2001-07-09 11:50 155,648 --a------ c:\windows\system32\NeroCheck.exe

2008-10-26 12:34 . 2000-06-26 11:45 106,496 --a------ c:\windows\system32\TwnLib20.dll

2008-10-26 12:34 . 2005-06-17 17:08 59,483 --------- c:\windows\NuNinst.cfg

2008-10-26 12:33 . 2008-10-26 12:33

2008-10-26 12:33 . 2008-10-26 12:34

2008-10-26 12:33 . 2008-10-26 12:34

2008-10-26 12:33 . 2005-06-10 17:12 99,584 --------- c:\windows\system32\drivers\InCDfs.sys

2008-10-26 12:33 . 2005-06-10 17:11 29,696 --------- c:\windows\system32\drivers\InCDpass.sys

2008-10-26 12:33 . 2005-06-10 15:11 28,160 --------- c:\windows\system32\drivers\InCDrm.sys

2008-10-26 12:33 . 2003-12-05 10:46 10,368 --------- c:\windows\system32\drivers\pfc.sys

2008-10-26 12:33 . 2005-06-10 17:12 8,704 --------- c:\windows\system32\drivers\InCDrec.sys

2008-10-26 12:31 . 2008-10-26 12:32

2008-10-26 12:31 . 2005-03-31 22:17 40,960 --a------ c:\program files\Uninstall_CDS.exe

2008-10-23 20:40 . 2008-10-15 17:36 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll

2008-10-19 13:21 . 2008-08-14 14:26 2,146,816 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe

2008-10-19 13:21 . 2008-09-15 16:27 1,846,656 -----c--- c:\windows\system32\dllcache\win32k.sys

2008-10-19 13:21 . 2008-09-08 11:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys

2008-10-19 13:20 . 2008-08-14 14:26 2,190,464 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe

2008-10-19 13:20 . 2008-08-14 14:26 2,067,328 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe

2008-10-19 13:20 . 2008-08-14 14:26 2,025,472 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe

.

(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-11-14 21:59 --------- d-----w c:\documents and settings\M i S\Dane aplikacji\OpenOffice.ux.pl2

2008-11-06 12:58 --------- d--h--w c:\program files\InstallShield Installation Information

2008-11-06 00:08 --------- d-----w c:\documents and settings\M i S\Dane aplikacji\Lavasoft

2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys

2008-09-30 15:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll

2008-09-28 12:44 --------- d-----w c:\program files\Common Files\Adobe

2008-09-15 15:27 1,846,656 ----a-w c:\windows\system32\win32k.sys

2008-09-10 01:15 1,307,648 ------w c:\windows\system32\msxml6.dll

2008-09-04 17:17 1,106,944 ----a-w c:\windows\system32\msxml3.dll

2008-08-20 05:11 668,672 ----a-w c:\windows\system32\wininet.dll

.

((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Odkurzacz-MCD"="d:\program files\Odkurzacz\odk_mcd.exe" [2007-05-03 264704]

"Gadu-Gadu"="c:\program files\Gadu-Gadu\gg.exe" [2008-03-20 2127296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoResolveTrack"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.ffds"= ffdshow.ax

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia.PCSync]

--a------ 2008-06-17 15:00 1249280 c:\program files\Nokia\Nokia PC Suite 7\PcSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]

--a------ 2008-06-18 13:31 1122816 c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]

-ra------ 2006-11-24 00:06 487424 c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"avast! Web Scanner"=3 (0x3)

"avast! Mail Scanner"=3 (0x3)

"avast! Antivirus"=2 (0x2)

"aswUpdSv"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

"InCD"=c:\program files\Ahead\InCD\InCD.exe

"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

"SpyHunter Security Suite"=c:\program files\Enigma Software Group\SpyHunter\SpyHunter3.exe

"avast!"=c:\progra~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe"=

"%windir%\Network Diagnostic\xpnetdiag.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-06-14 78416]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-06-14 20560]

S3 ATE_PROCMON;ATE_PROCMON;??\c:\program files\Anti Trojan Elite\ATEPMon.sys []

S3 MEMSWEEP2;MEMSWEEP2;??\c:\windows\system32\46.tmp []

.

.

------- Skan uzupełniający -------

.

FireFox -: Profile - c:\documents and settings\M i S\Dane aplikacji\Mozilla\Firefox\Profiles\2e9s4pu9.default\

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-11-15 19:17:28

Windows 5.1.2600 Dodatek Service Pack 3 NTFS

skanowanie ukrytych procesów ...

skanowanie ukrytych wpisów autostartu ...

skanowanie ukrytych plików ...

skanowanie pomyślnie ukończone

ukryte pliki: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]

"ImagePath"="??\c:\windows\system32\46.tmp"

.

------------------------ Pozostałe uruchomione procesy ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\program files\Ahead\InCD\InCDsrv.exe

c:\program files\Lavasoft\Ad-Aware\aawservice.exe

c:\program files\Alwil Software\Avast4\aswUpdSv.exe

c:\windows\system32\ati2evxx.exe

c:\windows\system32\LEXBCES.EXE

c:\windows\system32\LEXPPS.EXE

c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe

c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe

c:\windows\system32\CTSVCCDA.EXE

c:\windows\system32\wdfmgr.exe

.

**************************************************************************

.

Czas ukończenia: 2008-11-15 19:21:54 - komputer został uruchomiony ponownie

ComboFix-quarantined-files.txt 2008-11-15 18:21:43

Przed: 28,574,904,320 bajtów wolnych

Po: 28,562,059,264 bajtów wolnych

160 --- E O F --- 2008-11-14 15:10:37

and

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:24, on 2008-11-15

Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Ahead\InCD\InCDsrv.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKCU\..\Run: [Odkurzacz-MCD] D:\Program Files\Odkurzacz\odk_mcd.exe

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} (SignActivX Control) - https://www.bph.pl/pi/components/SignActivX.cab

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

End of file - 4980 bytes

Scan the computer with Kaspersky (open the page via a74e846c6b2c8867.jpg);

if it finds viruses, post the report, or use Dr.Web CureIt!

Kaspersky detected nothing, Dr.Web nothing either (by the way, I only found some older version, at a different address)

Change to the rules for pasting logs on the forum - viewtopic.php?f=16&t=253052

  1. Go to Start >>> Run >>> cmd and type:

SC DELETE EVXHJOQHIIUX

SC DELETE MEMSWEEP2

SC DELETE SDHS

  2. Go to Start >>> Run >>> regedit, navigate to the key HKEY_LOCAL_MACHINE\system\ControlSet001\Services and delete MEMSWEEP2

  3. Run a Dr.Web CureIt scan + post the report

  4. Post a log from mbr.exe
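A small triage helper for the ComboFix driver/service section quoted above (added example, not code from the thread or from ComboFix): it parses the R*/S* lines in the layout ComboFix prints and flags entries such as MEMSWEEP2, whose ImagePath is a .tmp file that ComboFix could not find on disk, so you can see which names merit checking before typing `sc delete`. The sample lines are constructed to match the log above; the parsing and the two flagging rules are my own assumptions, not anything the forum states.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout ComboFix uses for its driver/service section:
# "<state><start> <name>;<display name>;<image path> [<file date> <size>]".
# An empty "[]" means ComboFix found no file at that path.
SAMPLE_LOG = r"""
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-06-14 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-06-14 20560]
S3 ATE_PROCMON;ATE_PROCMON;??\c:\program files\Anti Trojan Elite\ATEPMon.sys []
S3 MEMSWEEP2;MEMSWEEP2;??\c:\windows\system32\46.tmp []
"""

# state letter + start type, name, display name, image path, bracketed file info
LINE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s*\[(.*)\]\s*$")


@dataclass
class ServiceEntry:
    state: str       # R = running, S = stopped; the digit is the start type
    name: str
    display: str
    image_path: str
    file_info: str   # "YYYY-MM-DD size" or "" when the binary was not found


def parse_services(text):
    """Parse the R*/S* service lines out of a ComboFix log, ignoring other lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            state, name, display, path, info = m.groups()
            entries.append(ServiceEntry(state, name, display, path.strip(), info.strip()))
    return entries


def reasons_for(entry):
    """Return why an entry deserves a closer look (empty list = nothing unusual)."""
    reasons = []
    if not entry.file_info:
        reasons.append("no file metadata: the binary is missing from disk")
    if entry.image_path.lower().endswith(".tmp"):
        reasons.append("ImagePath is a .tmp file, not a normal driver/service binary")
    return reasons


def triage(text):
    """Map service name -> reasons, only for entries worth reviewing before 'sc delete'."""
    return {e.name: reasons_for(e) for e in parse_services(text) if reasons_for(e)}


if __name__ == "__main__":
    for name, why in triage(SAMPLE_LOG).items():
        print(f"{name}: {'; '.join(why)}")
```

Entries with a real file date and size (the two avast! drivers in the sample) pass through unflagged; only the orphaned ones surface.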